Computer method and graphical user interface for identity management

ABSTRACT

According to embodiments, a global identity (ID) is generated by receiving a plurality of documents which, in total, only a particular person has ready access, and assigning a global ID to actual name of the particular person. Registration on the blockchain gives others a way to verify that a transaction was signed by the person and sent from the person&#39;s personal electronic device by transmitting a challenge message to the person as a digital challenge, and verifying that the person possesses a corresponding private key by responding with an encrypted message that can be decrypted to display the original message.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation-in-Part of U.S. patent application Ser. No. 16/706,520, entitled “COMPUTER METHOD AND GRAPHICAL USER INTERFACE FOR IDENTITY MANAGEMENT USING BLOCKCHAIN”, filed Dec. 6, 2019 (Docket No.: 3060-001-03), which claims benefit of U.S. Provisional Patent Application No. 62/776,214, entitled “COMPUTER METHOD FOR IDENTITY MANAGEMENT USING BLOCKCHAIN,” filed Dec. 6, 2018 (Docket No.: 3060-001-02); which, to the extent not inconsistent with the disclosure herein, are incorporated by reference.

SUMMARY

A computer method for establishing a secure identity (ID) and graphical user interface (GUI) therefor includes presenting, on an electronic display (e.g., of a personal electronic device such as a mobile phone, tablet, personal computer, smart home device or the like), a GUI including one or more entry fields for receiving a global ID, an actual name, and a designation of one or more ID proof references from a particular person. The computer method includes receiving, via the GUI, inputs including the global ID, the actual name, and the one or more ID proof references associated with the particular person, transmitting, into a computer memory of a server computer, the global ID, the actual name, and the one or more ID proof references associated with the particular person, and transmitting, from a personal electronic device associated with the particular person into the computer memory of the server computer, a verified identifier of the personal electronic device. The computer method includes generating, in the server computer or the personal electronic device, at least one private key associated with the global ID, and generating, in the server computer or the personal electronic device, at least one public key associated with the global ID. The computer method includes encrypting the actual name, the personal electronic device identifier, and the one or more ID proof references as encrypted ID data using the public key, and immutably storing, in a plurality of non-transitory computer readable memories, access information for the global ID, the encrypted ID data, and the at least one private key for decrypting an ID verification.

According to an embodiment, a computer method for establishing a secure global identity (ID) includes receiving, into a computer memory of a server computer, a global ID associated with a particular person; receiving, into the computer memory, an actual name of the particular person; and receiving, into the computer memory, a verified identifier (e.g., an IMEI) of a personal electronic device associated with the particular person. A first plurality of ID proof references associated with the particular person are received into the computer memory. The computer method includes generating at least one private key associated with the global ID and generating at least one public key associated with the global ID. The computer method includes using the public key to encrypt the actual name, the personal electronic device identifier, and the first plurality of ID proof references as encrypted ID data; and immutably storing the global ID, the encrypted ID data, and the at least one private key for decrypting an ID verification in a plurality of non-transitory computer readable memories. Immutably storing the global ID, the encrypted ID data, and the at least one public key for decrypting an ID verification in a plurality of non-transitory computer readable memories may include immutably storing the global ID, the encrypted ID data, and the at least one private key for decrypting an ID verification in a blockchain carried by the plurality of non-transitory computer readable memories.

According to an embodiment, a computer method for verifying a secure global ID includes receiving a global ID verification challenge from a counterparty via a network interface, reading encrypted ID data from one or more non-transitory computer readable memories, parsing the encrypted ID data to obtain a verified identifier of a personal electronic device corresponding to the global ID, and transmitting the global ID verification challenge to the personal electronic device. Upon receipt, the person to whom the global ID corresponds may respond to the global ID verification challenge by providing an input to the personal electronic device via a graphical user interface (GUI). A local application may transmit the response to a server computer, which receives an acknowledgement of the global ID verification challenge. Upon receipt of the response, the server computer transmits a response to the global ID verification challenge to the counterparty. Reading encrypted ID data from one or more non-transitory computer readable memories may include reading a blockchain carried by the plurality of non-transitory computer readable memories.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a flow chart showing a computer method for establishing a secure identity (ID) using a graphical user interface (GUI), according to an embodiment.

FIG. 1B is a flowchart showing a computer method 121 for establishing a secure digital identity (ID) using a graphical user interface (GUI), according to another embodiment

FIG. 2 is a diagram showing several forms of identity (ID) proof references, according to embodiments.

FIG. 3 is a diagram showing attributes of several ID proof references, according to embodiments.

FIG. 4 is a flow chart showing a computer method for establishing a secure ID, according to an embodiment.

FIG. 5 is a diagram of a graphical user interface (GUI) for receiving a global ID from a user, according to an embodiment.

FIG. 6 is a diagram of a GUI that may be displayed to a user during generation of at least one private key, according to an embodiment.

FIG. 7 is a diagram of a GUI that may be displayed to a user during generation of at least one public key, according to an embodiment.

FIG. 8 is a diagram showing relationships between data elements carried by a personal electronic device and a blockchain, according to embodiments.

FIGS. 9 and 10 are diagrams of a GUI for receiving a first plurality of ID proof references, where the ID proof reference is a physical document, according to embodiments.

FIGS. 11 and 12 are diagrams of a GUI for receiving the first plurality of ID proof references, where the ID proof reference is an electronic account, according to embodiments.

FIG. 13 is a diagram of a GUI for displaying an ID confidence interval to a user, according to an embodiment.

FIG. 14 is a diagram showing relationships between data elements carried by a personal electronic device, a blockchain, and a credit card company server, the credit card company acting as an ID proof reference and with the private key displacing a card not present e-commerce source of payment, according to an embodiment.

FIG. 15 is a flow chart showing a computer method for verifying a secure identity, according to an embodiment.

FIG. 16 is a diagram illustrating interactions between an e-commerce retailer's website or application, and a GUI for providing a secure response to a cryptographic identity challenge, according to an embodiment.

FIG. 17 is a diagram showing GUIs for one click underwriting using a lender's website and a GUI for entering authorization for access to financial information via a response to a digital challenge, according to an embodiment.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. Other embodiments may be used and/or other changes may be made without departing from the spirit or scope of the disclosure.

In everyday life, there are situations where proof of identity is needed. Some examples include instances such as unlocking one's hotel room, starting one's car, entering a secured facility, applying for a loan, applying for a job, boarding an airplane, proving one's citizenship, accessing one's checking account, charging an expense to one's company, and endorsing a document.

According to embodiments, a decentralized platform using blockchain technology may provide proof of identity with a secure, encrypted digital token stored on a person's personal device. Illustrative UI/UX designs may support:

-   -   signing any legal document from your mobile phone,     -   applying for mortgages, loans and insurance using one click,     -   replacing all one's usernames with a fingerprint,     -   entering secured facilities by presenting one's mobile phone,     -   control who can see one's sensitive and secure medical,         financial and legal information,     -   paying online without entering any credit card numbers,     -   providing digital proof of residence, employment, citizenship,         insurance and title, and/or     -   securing all one's private keys, including cryptocurrency         wallets.

According to embodiments, the identity platform may include one or several of the following aspects:

-   -   Identity Token: A person's mobile phone registered on a         blockchain as a secure digital proxy for the person.     -   Bilateral Digital Signatures With Custody: Trustless protocol to         share sensitive data, with cryptographic proof on every         transaction.     -   Self-Sovereign Data Network: Network of Institutions to share         sensitive data, with ad hoc and on-demand permissions. (Data         should be self-sovereign, meaning that an individual has         authority to determine uses of his data. This may use a         decentralized, permission-based protocol.)     -   Probabilistic Affirmation: Proprietary heuristics to govern         operations under a paradigm of certain and unavoidable fraud.

FIG. 1A is a flow chart showing a computer method 100 for establishing a secure identity (ID) and graphical user interface (GUI) therefor, according to an embodiment. According to an embodiment, the computer method 100 for establishing a secure ID and GUI therefor includes, in step 102, presenting, on an electronic display, a GUI including one or more entry fields for receiving a global ID, an actual name, and a designation of one or more ID proof references from a particular person. Step 103 includes receiving, via the GUI, inputs including the global ID, the actual name, and the one or more ID proof references associated with the particular person. Step 104 includes transmitting, into a computer memory of a server computer, the global ID, the actual name, and the one or more ID proof references associated with the particular person. Step 106 includes transmitting, from a personal electronic device associated with the particular person into the computer memory of the server computer, a verified identifier of the personal electronic device (typically, this is the device that the electronic display is a part of). Step 110 includes generating, in the server computer or the personal electronic device, at least one password or public key (encryption key) associated with the global ID. Step 112 includes generating, in the server computer or the personal electronic device (unless symmetric encryption is used), at least one private key (decryption key) associated with the global ID. Step 114 includes, using the public key, encrypting the actual name, the personal electronic device identifier, and the one or more ID proof references as encrypted ID data. Step 116 includes immutably storing, in a plurality of non-transitory computer readable memories, access information for the global ID, the encrypted ID data, and the at least one private key for decrypting an ID verification.

According to an embodiment, the step of immutably storing access information for the global ID, the encrypted ID data, and the at least one private key for decrypting an ID verification in the plurality of non-transitory computer readable memories, in step 116, includes immutably storing access information for the global ID and the at least one private key for decrypting the ID verification in a blockchain carried by a plurality of non-transitory computer readable memories, storing the encrypted ID data in a networked storage facility, and storing an access coordinate for the encrypted ID data in the blockchain carried by the plurality of non-transitory computer readable memories. According to an alternative embodiment, the step of immutably storing access information for the global ID, the encrypted ID data, and the at least one private key for decrypting the ID verification in the plurality of non-transitory computer readable memories, in step 116, includes immutably storing access information for the global ID in a blockchain carried by the plurality of non-transitory computer readable memories, and storing the at least one private key for decrypting the ID verification and the encrypted ID data in a networked storage facility accessed by the blockchain carried by the plurality of non-transitory computer readable memories.

According to an embodiment, the computer method 100 for establishing a secure ID and GUI therefor further includes, in step 108, establishing a communication channel between the personal electronic device and the server computer. In one embodiment, establishing the communication channel between the personal electronic device and the server computer includes transmitting, into the computer memory of the server computer, access data for the personal electronic device. In another embodiment, establishing the communication channel between the personal electronic device and the server computer includes installing, on the personal electronic device, an application configured to receive push notifications from the server computer.

According to an embodiment, the computer method 100 for establishing a secure ID and GUI therefor further includes, in step 118, encrypting the public key used for the encryption of the ID data. Step 120 includes receiving the encrypted public key from the server computer for storage on the personal electronic device. Additionally and/or alternatively, receiving the encrypted public key, in step 120, includes receiving the encrypted private key to an application installed on the personal electronic device.

According to an embodiment, transmitting the global ID, in step 104, includes transmitting a sequence of characters from the personal electronic device to the server computer for querying the sequence of characters to determine that the sequence of characters is not assigned as a global ID, writing the sequence of characters into the server computer memory as the global ID for the user, and outputting, on the electronic display in the GUI, acceptance of the global ID.

According to an embodiment, the personal electronic device is an electronic device secured by a biometric.

According to an embodiment, transmitting the verified identifier of the personal electronic device associated with the particular person, in step 106, includes querying the personal electronic device for a hardware identifier and transmitting the hardware identifier in an encrypted data transmission. In one embodiment, the hardware identifier includes a unique device identifier. In another embodiment, the hardware identifier includes at least one selected from a group consisting of the International Mobile Equipment Identifier (IMEI), Android ID, iPhone ID, WLAN MAC address string, and Bluetooth address string. Additionally and/or alternatively, the hardware identifier includes a SIM card ID.

According to an embodiment, transmitting the one or more ID proof references associated with the particular person, in step 106, includes displaying an ID reference entry form as, or as part of, a GUI displayed on an electronic display of the personal electronic device, receiving a designation of an ID reference type via the GUI, and receiving at least one ID reference attribute via the GUI. In one embodiment, receiving a designation of an ID reference type includes receiving a designation of a physical document, and receiving at least one ID reference attribute includes capturing a digital image of the physical document. The physical document may include a passport. The physical document may include a birth certificate. Additionally and/or alternatively, the physical document may include a Social Security card.

According to an alternative embodiment, receiving a designation of an ID reference type includes receiving a designation of an electronic account, and receiving at least one ID reference attribute includes receiving an account institution and an account number via the GUI. In one embodiment, receiving an account institution includes receiving a credit or debit card issuer. In another embodiment, receiving an account institution includes receiving a bank name or a routing number. Additionally and/or alternatively, receiving a designation of an electronic account includes receiving a designation of an insurance policy, and receiving the account institution includes receiving the name of the insurance company.

According to an embodiment, the computer method 100 for establishing a secure ID and GUI therefor further includes analyzing, with the server computer, the one or more ID proof references associated with the particular person to determine a confidence interval, and displaying the confidence interval to the user via the GUI.

According to an embodiment, encrypting the actual name, the personal electronic device identifier, and the one or more ID proof references as encrypted ID data, in step 114, includes performing a digital hash of the actual name, the personal electronic device identifier, and the one or more ID proof references.

According to an embodiment, immutably storing access information for the global ID, the encrypted ID data, and the at least one private key or password for decrypting an ID verification in one or more computer memories, in step 116, includes writing hashed values of the global ID, the encrypted ID data, and the at least one private key for decrypting the ID verification to a blockchain as a transaction. In one embodiment, immutably storing the encrypted actual name and the one or more ID proof references includes referencing the global ID using a blockchain transaction.

Various types of blockchains are contemplated. In some embodiments, the blockchain may be a public blockchain. For example, a public blockchain may include a virtual machine, such as an Etherium blockchain. The Etherium blockchain may include an ERC20 token. Additionally or alternatively, the blockchain may include a private blockchain. In another embodiment, the blockchain comprises a permissioned blockchain.

FIG. 1B is a flowchart showing a computer method 121 for establishing a secure digital identity, according to another embodiment. The method 121 may start with step 122, which includes presenting, on an electronic display, a GUI including one or more entry fields for receiving an actual name of a person and a designation of one or more ID proof references corresponding to the named person. Step 124 includes receiving, into a server computer via the GUI, inputs including the actual name and the one or more ID proof references associated with the named person. Illustrative ID proof references are described elsewhere herein. Optionally, the electronic display for displaying the GUI that displays the entry fields may be an electronic display of the personal electronic device, described below.

In step 126, a global ID corresponding to the named person is obtained. The global ID may be obtained in various ways described herein, but in any case, the global ID includes a universally unique character string that does not include or decode as the actual name. Proceeding to step 128, the actual name and the one or more ID proof references are encrypted. Step 130 includes immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID. Various types of network locations, including combinations of network locations, may be used according to embodiments. Specific examples and embodiments are described herein.

Proceeding to step 132, an identifier corresponding to a personal electronic device associated with the person may be received. Proceeding to step 133, according to an embodiment, a communication channel between the personal electronic device and the server computer is established. In an embodiment, establishing the communication channel between the personal electronic device and the server computer includes receiving, from the personal electronic device into the server computer, an encryption key corresponding to a secure enclave of the personal electronic device for encrypting messages transmitted from the server computer to the personal electronic device, and transmitting, to the personal electronic device, an encryption key for encrypting messages transmitted from the personal electronic device to the server computer. This allows data traffic, including ID challenges and responses thereto, respectively transmitted to and received from the personal electronic device to be encrypted and secure.

In an embodiment, establishing the communication channel between the personal electronic device and the server computer includes writing, into a non-transitory computer memory of the server computer, access data for the personal electronic device. According to an embodiment, establishing the communication channel between the personal electronic device and the server computer in step 133 includes installing, on the personal electronic device, an application configured to receive push notifications from the server computer.

Step 133 may include encrypting a public key or password used for the encryption of the actual data and the one or more ID proof references and transmitting the encrypted public key or password from the server computer to the personal electronic device for storage on the personal electronic device. Transmitting the encrypted public key or password may include transmitting the encrypted public key to a secure enclave on the personal electronic device. An application installed on the personal electronic device may be provided access to receive data from the server computer and encrypt data for transmission to the server computer via the secure enclave.

In step 134, data corresponding to the personal electronic device identifier may be stored at a network location associated with the global ID.

The global ID may be anonymous unless a particular use case requires a visible relationship between the global ID and the actual name. In other embodiments, the global ID is visible or, as described herein, designated by the person corresponding to the actual name or their delegate.

Proceeding to step 140, one or more verifications of the global ID may be processed. Steps used in verification of the global ID are shown in FIG. 15 . Such verifications may be embodied as “signing” electronic challenges across a blockchain.

Referring to FIG. 15 , the global ID may be used to sign digital challenges associated with various commerce, transactions, and linking. For example, the server computer, server computer farm, and/or operatively (logically) coupled server computer, in step 1502 receives, from a counterparty device, a global ID challenge, and responsively, in step 1510, transmits an encrypted message requesting acknowledgement to the personal electronic device. Step 1512 includes receiving an acknowledgement of the global ID challenge from the personal electronic device. In many embodiments, the acknowledgement response or signing of a transaction is made only if a GUI display and control is actuated by a known person, such as the particular person. In step 1518, the server computer transmits a response to the global ID challenge to the counterparty device. Thus may be used by the counterparty device to enable completion of the transaction, commerce, or linking, etc.

For example, receiving the acknowledgement of the global ID challenge from the personal electronic device in step 1512 may include receiving input from the named person indicating the global ID challenge is to be responded to in the affirmative. For example, if the global ID challenge is from a vendor with whom the person wishes to complete a transaction, linking, etc., the person actuates a button or other control on the GUI indicating a command to positively respond to the global ID challenge.

Referring again to FIG. 1B, according to embodiments, a transaction, linking, etc. receiving input from the person includes receiving input from the person who is biometrically identified as the particular person corresponding to the global ID, the actual name, and the one or more ID proof references, or a delegate thereof. For example, transmitting a message requesting acknowledgement to the personal electronic device in step 1510 may include transmitting an encrypted message requesting acknowledgement to the personal electronic device.

According to embodiments, the method 121 includes, as shown in step 136, generating a public-private key pair comprising a public key and a private key related by a one-way function such as SHA-256 asymmetric encryption, then in step 138, associating the public-private key pair with the global ID. According to embodiments, encrypting the actual name and the one or more ID proof references in step 128 includes encrypting the actual name and the one or more ID proof references using the public key.

According to embodiments, obtaining the global ID in step 126 includes receiving an entry of a character string via a control (or input) of a GUI displayed on the personal electronic device, and determining there is no other global ID using the same character string to enable use of the character string. In such an example, associating the public-private key pair with the global ID in step 138 includes writing the global ID and the public key to a database defining the association. One diagram of an illustrative relationship is shown in FIG. 8 .

According to embodiments, referring again to steps 126 and 136, the public key or a linked public key operates as the global ID. For example, obtaining the global ID in step 126 may consist essentially of using the public key generated in step 136 as the global ID. In another example, the method 121 may include hashing the public key to generate a blockchain wallet address, and using the blockchain wallet address as the global ID. In this example, obtaining the global ID in step 126 may consist essentially of using the blockchain wallet address as the global ID.

According to embodiments, immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID, in step 130, includes broadcasting a blockchain transaction specifying a blockchain wallet associated with the public-private key pair as an endpoint. The blockchain broadcast may include a field, such as a memo field or OP_Return field carrying a content-identified address providing a link to the encrypted actual name and the encrypted one or more ID proof references in a content-identified storage network. For example, immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID in step 130 may include pinning the encrypted actual name and the one or more ID proof references in a content-identified storage network. The storage network may operate using a “location” designation that is a multi-hash of content of a file specifying or linking one or more of the actual name, the encrypted actual name, one or more ID proof references, such as content identified files (CIDs) using an inter-planetary file system (IPFS) node. Alternative storage networks are contemplated.

For example, the method 121 may include step 138, in which the public key or a password is used for the encrypting the actual name and the one or more ID proof references, and transmitting the encrypted public key or password from the server computer to the personal electronic device for storage on the personal electronic device. Transmitting the encrypted public key or password in step 138 may include transmitting the encrypted public key to a secure enclave on the personal electronic device. An application installed on the personal electronic device may be provided access to encrypt the actual name, a user-selected global ID, one or more ID proof references, and/or responses to challenges to the global ID to communicate with the server computer via the secure enclave.

The public key or password used for encrypting the actual name and the one or more ID proof references may be held in custody and not revealed to the named person. The global ID may be held in custody and not revealed to the named person.

The method 121 may proceed to step 125, including computing a confidence interval associated with the verification of the actual name provided by the one or more ID proof references and causing display of the confidence interval in a GUI displayed on the electronic display that presented the one or more entry fields in step 122. The computer method 121 may include re-computing and displaying the confidence interval when one or more additional ID proof references are received by the server computer via the GUI on the electronic display, in step 124.

Receiving the identifier corresponding to the personal electronic device associated with the person in step 132 may include querying the personal electronic device for a hardware identifier and receiving the hardware identifier in an encrypted data transmission.

Embodiments of presenting, on the electronic display, the GUI including one or more entry fields for designating the one or more ID proof references in step 122 may include driving the display to display an ID reference entry form as a GUI displayed on an electronic display of the personal electronic device. Receiving inputs including the actual name and the one or more ID proof references, in step 124, may includes receiving a designation of an ID reference type via the GUI and receiving at least one ID reference attribute via the GUI. A designation of an ID reference type may include a designation of a physical document. According to embodiments, an application on the personal electronic device operates a camera to capture a digital image of physical ID reference documents.

A physical document may include a passport, a birth certificate, a Social Security card a bank statement, a mortgage statement, a credit card bill, or other document provided in physical form.

Receiving a designation of an ID reference type may include receiving a designation of an electronic account. For example, receiving at least one ID reference attribute includes may include receiving an account institution and an account number via the GUI. A payment by credit card may be used as an ID reference. Receiving a designation of an electronic account may include receiving a credit card issuer, a debit card issuer, or a bank name. Receiving a designation of an electronic account may include receiving a designation of an insurance policy. Receiving an account institution name may include receiving the name of the insurance company.

The method 121 may include, in step 125, analyzing, with the server computer, the one or more ID proof references associated with the named person to determine a confidence interval, and displaying the confidence interval to the named person or a delegate thereof via the GUI. As shown in FIG. 1B, the method may loop through steps 122 and 124, each time with the named person or delegate adding another ID proof reference until the displayed confidence interval meets a desired or pre-determined confidence interval. In the case of such looping, step 122 may refer to maintaining the GUI, rather than displaying a different GUI. In this example, the GUI may also display the confidence interval. Optionally, the server computer may continue to prompt the user to enter another ID proof reference until the confidence interval meets a pre-determined confidence interval.

FIG. 2 is a diagram 200 showing several illustrative identity (ID) proof references 202, according to embodiments. The ID proof references 202 may be viewed, collectively, as delegated identity, which may be accessed according to a decentralized, permission-based protocol.

The storage and maintenance of self-sovereign identity data may be delegated to the institutions which are actively engaged in our lives. This may ensure the digital identity is constructed from the most current and highest quality data, rather than stale data. This delegated identity approach also makes identity difficult to hack, since the data spans a network of machines.

FIG. 3 is a diagram 300 showing cross-referencing between several ID proof references 202, according to embodiments. A consensus opinion may be triangulated by cross-referencing data across multiple institutions, according to embodiments. For example, a residential address 304, 306 associated with a person may be parsed from records maintained or stored in several ID proof reference documents and electronic databases 202 a, 202 b. Each affirming ID proof (institution/database/document) reference 202 a having a common value 304 for an attribute (e.g., residential address) increases the fidelity of the digital identity and reduces the likelihood that the identity is fraudulent. Each non-affirming ID proof reference 202 b having non-consistent values 306 for the attribute may not increase or may decrease the fidelity of the digital identity and thus increase the likelihood that the identity is fraudulent. The number and/or type of affirming ID proof references 202 a having a common value 304 versus the number and/or type of non-affirming ID proof references 202 b having non-consistent values 306 may be used to calculate a confidence interval related to the certainty of the digital identity.

The inventor contemplates several ways of calculating the confidence interval. The confidence interval may be expressed as a percentage 0% to 100%, or as a decimal interval between 0.0 and 1.0, for example. According to an embodiment, the confidence interval may be calculated by assigning a relevance from 0.0 to 1.0 to each ID proof reference (e.g., an institution, a database, and/or a document) 202, multiplying each affirming ID proof reference 202 a by its relevance to form an affirming ID proof reference relevance, multiplying each non-affirming ID proof reference 202 b by its relevance to form a non-affirming ID proof reference relevance, and dividing a sum of affirming ID proof reference relevances by a quantity of a sum of ID proof reference non-affirming relevances plus the sum of affirming ID proof reference relevances. This approach may optionally be repeated with other attributes found across plural entities, and the result combined with results for a first attribute to generate the confidence interval. In another embodiment, ID proof references may contribute to increasing a confidence interval whether or not they share a common attribute. Alternatively, other formulas may be used to calculate a confidence interval that aggregates quality, number, and consistency of ID proof references.

FIG. 4 is a flow chart showing a computer method 400 for establishing a secure ID, according to an embodiment.

According to an embodiment, a computer method 400 for establishing a secure identity (ID) includes, in step 402, receiving, into a computer memory of a server computer, a global ID associated with a particular person.

FIG. 5 is a diagram of a graphical user interface (GUI) 500 for receiving a global ID from a user, according to an embodiment.

Referring again to FIG. 4 , step 404 includes receiving, into the computer memory, an actual name of the particular person. Step 406 includes receiving, into the computer memory, a verified identifier of a personal electronic device associated with the particular person. Step 410 includes receiving, into the computer memory, a first plurality of ID proof references associated with the particular person. Step 412 includes generating at least one private key associated with the global ID.

FIG. 6 is a diagram of a GUI 600 that may be displayed to a user during generation of at least one private key, according to an embodiment.

Referring again to FIG. 4 , step 414 includes generating at least one public key associated with the global ID.

FIG. 7 is a diagram of a GUI 700 that may be displayed to a user during generation of at least one public key, according to an embodiment.

Referring again to FIG. 4 , step 416 includes using the public key or a password to encrypt the actual name, the personal electronic device identifier, and the first plurality of ID proof references as encrypted ID data. Step 418 includes immutably storing the global ID and the encrypted ID data in a plurality of non-transitory computer readable memories.

In an embodiment, immutably storing the global ID and the encrypted ID data in the plurality of non-transitory computer readable memories, in step 418, includes immutably storing the global ID, the encrypted ID data, and the at least one in a blockchain transaction carried by the plurality of non-transitory computer readable memories, in which the public and private key are associated with a wallet designated as an endpoint in the blockchain transaction.

According to an embodiment, the computer method 400 further includes, in step 408, establishing a communication channel with the personal electronic device. In one embodiment, establishing a communication channel with the personal electronic device, in step 408, includes receiving, into the computer memory, access data for the personal electronic device. In another embodiment, establishing a communication channel with the personal electronic device, in step 408, includes installing, on the personal electronic device, an application configured to receive push notifications from the server computer.

According to an embodiment, the computer method 400 further includes, in step 420, encrypting the public key used for the encryption of the ID data, and in step 422, outputting the encrypted public key for storage on the personal electronic device. In an embodiment, outputting the encrypted public key includes outputting the encrypted public key to an application installed on the personal electronic device.

FIG. 8 is a diagram 800 showing relationships between data elements carried by a personal electronic device 802 and a blockchain 804, according to embodiments.

In an embodiment, referring to FIGS. 4 and 5 , receiving the global ID associated with the particular person, in step 402, includes receiving an entry or selection of the global ID via a graphical user interface (GUI) displayed on an electronic display of the personal electronic device.

In one embodiment, receiving the global ID, in step 402, includes receiving a sequence of characters, querying for the sequence of characters to determine that the sequence of characters is not assigned as a global ID, and writing the sequence of characters into the computer memory as the global ID for the user.

In another embodiment, receiving the global ID, in step 402, includes receiving a sequence of characters from a user via a GUI, querying for the sequence of characters to determine that the sequence of characters is already assigned as a global ID, generating one or more alternative sequences of characters that are not already assigned as global IDs, presenting the one or more alternative sequences of characters to the user via the GUI, followed by receiving, from the user via the GUI, a selection of one alternative sequence of characters, and writing the sequence of characters into the computer memory as the global ID for the user.

Referring to FIG. 4 , in one embodiment, receiving the actual name of the particular person, in step 404, includes receiving an entry or selection of the actual name via the GUI displayed on the electronic display of the personal electronic device. In another embodiment, receiving the actual name of the particular person, in step 404, includes parsing, from the first plurality of ID proof references associated with the particular person, the actual name of the particular person.

In an embodiment, the personal electronic device is an electronic device secured by a biometric.

In an embodiment, receiving a verified identifier of a personal electronic device associated with the particular person, in step 406, includes querying the personal electronic device for a hardware identifier and receiving the hardware identifier in an encrypted data transmission.

In an embodiment, the hardware identifier may include a unique device identifier. In an embodiment, the hardware identifier may include at least one selected from a group consisting of the International Mobile Equipment Identifier (IMEI), Android ID, iPhone ID, WLAN MAC address string, and Bluetooth address string. In an embodiment, the hardware identifier may include a SIM card ID.

FIGS. 9 and 10 are diagrams of a GUI for receiving the first plurality of ID proof references, where the ID proof reference is a physical document, according to embodiments.

In an embodiment, receiving a first plurality of ID proof references associated with the particular person, in step 410, includes displaying an ID reference entry form as a GUI displayed on an electronic display of the personal electronic device, receiving a designation of an ID reference type via the GUI, and receiving at least one ID reference attribute via the GUI. In an embodiment, receiving a designation of an ID reference type may include receiving a designation of a physical document. In an embodiment, receiving at least one ID reference attribute may include capturing a digital image of the physical document.

In an embodiment, the physical document may include a passport. In another embodiment, the physical document may include a birth certificate. In another embodiment, the physical document may include a Social Security card.

FIGS. 11 and 12 are diagrams 1100, 1200 of a GUI for receiving the first plurality of ID proof references, where the ID proof reference is an electronic account, according to embodiments. According to embodiments, a user may link a digital identity to a non-member institution, as illustrated by the GUIs shown in FIGS. 11 and 12 . When customers want to link their identity to an institution that is not participating in the Global Identity Network, the global identity server may use a robot emulator to scrape data. However, most financial institutions have already published APIs to provide more secure alternatives to screen-scrape robots. A link to a member institution may make use of a complete registration protocol with cryptographic proof of identity and auditable permission, wherein the global identity system is able to directly access data corresponding to an account of the person.

In an embodiment, receiving a designation of an ID reference type includes receiving a designation of an electronic account. In an embodiment, receiving at least one ID reference attribute includes receiving an account institution and an account number. In an embodiment, receiving an account institution may include receiving a credit or debit card issuer. In an embodiment, receiving an account institution may include receiving a bank name or a routing number.

In an embodiment, receiving a designation of an electronic account may include receiving a designation of an insurance policy. In an embodiment, receiving the account institution may include receiving the name of the insurance company.

FIG. 13 is a diagram of a GUI 1300 for displaying an ID confidence interval to a user, according to an embodiment.

According to an embodiment, referring again to FIG. 4 , the computer method 400 includes analyzing the first plurality of ID proof references associated with the particular person to determine a confidence interval, and displaying the confidence interval to the user via the GUI.

In an embodiment, encrypting the actual name, the personal electronic device identifier, and the first plurality of ID proof references as encrypted ID data, in step 416, includes performing a digital hash of the actual name, the personal electronic device identifier, and the first plurality of ID proof references.

In an embodiment, immutably storing the global ID, the associated encrypted ID data, and the at least one public key for decrypting an ID verification in one or more computer memories, in step 418, includes writing hashed values of the global ID, the associated encrypted ID data, and the at least one public key for decrypting an ID verification to a blockchain as a transaction.

In one embodiment, the blockchain may include a public blockchain. In an embodiment, the public blockchain may include an Etherium blockchain. In an embodiment, the Etherium blockchain may include an ERC20 blockchain.

In an embodiment, the blockchain may include a private blockchain. In another embodiment, the blockchain includes a permissioned blockchain.

FIG. 14 is a diagram 1400 showing relationships between data elements carried by a personal electronic device 802, a blockchain 804, and a credit card company 1402 server, the credit card company 1402 acting as an ID proof reference and with the private key displaying a card not present e-commerce source of payment, according to an embodiment.

FIG. 15 is a flow chart showing a computer method 1500 for verifying a secure identity, according to an embodiment.

According to an embodiment, a computer method 1500 for verifying a secure global identity (ID) includes, in step 1502, receiving, into a server computer, a global ID verification challenge from a counterparty via a network interface. Step 1504 includes reading, with the server computer, encrypted ID data from one or more non-transitory computer readable memories. Step 1508 includes parsing, with the server computer, the encrypted ID data to obtain a verified identifier of a personal electronic device corresponding to the global ID. Step 1510 includes transmitting, from the server computer, the global ID verification challenge to a personal electronic device of a particular person. Step 1512 includes receiving, with the server computer, an acknowledgement of the global ID verification challenge from the personal electronic device via an input into a GUI of the personal electronic device by the particular person to whom the global ID corresponds. Step 1518 includes transmitting, from the server computer, a response to the global ID verification challenge to the counterparty.

In an embodiment, the computer method 1500 further includes, in step 1506, reading, with the server computer, personal electronic device access data.

In an embodiment, the computer method 1500 further includes, in step 1514, accessing, with the server computer, a first plurality of ID proof references to verify the global ID. Step 1516 includes generating, with the server computer, an ID confidence interval as a function of a strength of the first plurality of ID proof references. Step 1520 includes transmitting the ID confidence interval from the server computer to the counterparty.

In an embodiment, the transmitting of the global ID verification challenge to the personal electronic device, in step 1510, includes transmitting a requirement to provide a biometric proof. In an embodiment, the receiving of the acknowledgement of the global ID verification challenge, in step 1512, includes enabling the acknowledgement using the biometric proof.

In an embodiment, the computer method 1500 further includes accessing, with the server computer, a second plurality of ID proof references to verify the global ID; generating, with the server computer, an ID confidence interval as a function of a strength of the second plurality of ID proof references; and transmitting the ID confidence interval from the server computer to the counterparty.

In an embodiment, the transmitting of the global ID verification challenge to the personal electronic device, in step 1510, includes transmitting at least a partial list of the first plurality of ID proof references to the personal electronic device. In an embodiment, the receiving of the acknowledgement of the global ID verification challenge, in step 1512, includes receiving a designation of at least a subset of the at least partial list of the first plurality of ID proof references. In an embodiment, the second plurality of ID proof references is equal to the designated at least a subset of the at least partial list of the first plurality of ID proof references.

In an embodiment, the accessing of the first plurality of the ID proof references to verify the global ID, in step 1514, includes accessing a web page of a first ID proof reference, entering a first account number corresponding to the particular person, screen scraping displayed first account information, and parsing a first attribute of the first account.

In an embodiment, the accessing of the second plurality of the ID proof references to verify the global ID, in step 1514, includes parsing a first attribute associated with a first ID proof reference, parsing a first attribute associated with a second ID proof reference, and comparing the respective first attributes to determine a match between the first attributes.

In one embodiment, the first attributes may include matching residential addresses. In another embodiment, the first attributes may include respective digital photographs of the particular person.

In an embodiment, the accessing of the second plurality of the ID proof references to verify the global ID, in step 1514, includes parsing a first attribute associated with a first ID proof reference, parsing a second attribute associated with a second ID proof reference, and comparing the first and the second attributes to determine a match between the first and the second attributes.

In one embodiment, the first attribute may include a reference to the second attribute associated with the second ID proof reference. The second attribute may form a recursive validation of the first attribute. In another embodiment, the first attribute may include an account number associated with the second ID proof reference.

FIG. 16 is a diagram 1600 illustrating interactions between an e-commerce retailer's website or application 1602, and a GUI 1604 for providing a secure response to a cryptographic identity challenge, according to an embodiment.

Referring to FIG. 16 , the receiving of the acknowledgement of the global ID verification challenge from the personal electronic device, in step 1512, includes authorizing, by the particular person, shopping via an e-commerce website 1602, purchase via the personal electronic device using the GUI 1604. The computer method 1500 is initiated by the particular person selecting a tokenized credit card for payment of the purchase.

FIG. 17 is a diagram 1700 showing GUIs for one click underwriting using a lender's website 1702 and a GUI 1704 for entering authorization for access to financial information via a response to a digital challenge, according to embodiments.

Referring to FIG. 17 , the counterparty is a lender. The receiving of the acknowledgement of the global ID verification challenge from the personal electronic device, in step 1512, includes presenting, via the GUI 1704 displayed by the personal electronic device, a list of information from ID references requested by a lender, and receiving, at the server computer, an agreement from the particular person to proceed with providing the information and completing an online application for credit or a loan from the lender.

According to an embodiment, the personal electronic device associated with the particular person includes a personal electronic device that is in sole possession of the particular person. In an embodiment, the personal electronic device includes a personal electronic device configured to be accessed by a biometric characteristic of the particular person.

According to embodiments, possession of a Private Key (information) is replaced with possession of a registered personal electronic device, such as a smartphone as proof of identity. Registration on the blockchain includes publishing a person's private key and registering the person's IMEI (Hardware ID) Hash, according to an embodiment. Registration on the blockchain gives others a way to verify that a transaction was signed by the person, and sent from the person's personal device.

One use of embodiments is related to “know your customer” (KYC) document capture.

A user may scan, upload and encrypt legacy documents to serve as a kernel for a new Digital Identity, as illustrated by the GUIs shown in FIGS. 9 and 10 . This may provide a baseline to conform to existing KYC regulations in most global jurisdictions.

Various additional uses are contemplated. For example, the personal device may operate as a digital passport, wherein the user presents their smartphone at an Immigrations Gate and the user authorizes temporary access to their passport using a biometric response to a digital challenge.

Other applications or uses may include:

-   -   Security: Everything that is locked automatically unlocks for         the right people.     -   Personalization: The waiter tells you they've received a case of         your favorite vintage, even though you've never been to this         restaurant before.     -   Shopping: You can buy anything you see and have it shipped with         just a word.     -   Medical Care: The emergency room lab tech knows that you are         allergic to penicillin even though you are unconscious.     -   Everyday: The teacher knows that you gave your neighbor         permission to pick your kid up from school today.     -   Legal and Finance: You can refinance your home from your phone,         without forms or paperwork.     -   Job Application: With your consent, your prospective employer         can verify your work history and academic record in an instant.

According to embodiments, a protocol for enabling communications related to ID management may include several commands and responses. Some commands may include:

-   -   Publish new Identity     -   Upload KYC Document     -   Link an Institution     -   Perform Digital Challenge     -   Request Data Permission     -   Grant Data Permission     -   Publish Document for Signature

Linking an institution may include several steps. (Conceptually, this is similar in mechanism to “Friending” someone on a social medium):

-   -   1. User formats Link Request with:         -   a. target's Global ID;         -   b. Permission to access identity data packet;         -   c. (optional) Nickname: foreign key that represents the             Target on User's application;         -   d. (optional) Account ID: foreign keys to Target's             proprietary application.     -   2. User encrypts the LinkRequest with their Public Key.     -   3. Target verifies authenticity using User's Global ID ->Public         Keys.     -   4. Target uses the Permission to retrieve Identity data packet.     -   5. Target interrogates data packet to substantiate the User's         functional data.     -   6. Target cross-references functional data against User-provided         foreign keys to satisfy their proprietary KYC and anti-fraud         processes.     -   7. Target accepts LinkRequest.         -   a. Returns their foreign keys and method access path.     -   8. (else) Target declines LinkRequest.         -   a. Error message.

Verifying authenticity of an ID using methods herein may include inputting:

-   -   Global ID,     -   an Encrypted Message, and     -   a Clear Message.

The computer executes

-   -   1. Lookup Public Keys on BC     -   2. Apply Public Keys to Encrypted Message     -   3. (if decrypted message==clear message) return TRUE else FALSE

According to embodiments, there are several core design principles that are contemplated for the disclosed system and methods presented herein:

-   -   Self-Sovereign: The private data which makes up a Digital         Identity should remain entirely in the control of the individual         whose identity is described.     -   Delegated Data: a decentralized, permission-based protocol         delegates the storage and maintenance of identity data to the         institutions which are actively engaged in the lives of users.     -   Cryptographic Proofs: Public/Private key cryptography affirms         that each active User and Institution is precisely who they         claim to be, and to enforce the privileges and rights of each.     -   Personal Device: A Personal Computing Device with a Secure         Element, registered to be in the possession of the User serves         as a reference form factor.     -   Probabilistic Identity: Fraud may be prevented by scoring each         digital proof with a Confidence Interval to represent the degree         of certainty, allowing parties to set their own policies and         tolerance for risk.

While various aspects and embodiments have been disclosed herein, other aspects and embodiments are contemplated. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims. 

1. A computer method for establishing a secure digital identity (ID) and graphical user interface (GUI) therefor, comprising: presenting, on an electronic display, a GUI including one or more entry fields for receiving an actual name of a person and a designation of one or more ID proof references corresponding to the named person; receiving into a server computer, via the GUI, inputs including the actual name and the one or more ID proof references associated with the named person; obtaining a global ID corresponding to the named person, the global ID comprising a universally unique character string that does not include the actual name; encrypting the actual name and the one or more ID proof references; immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID; receiving an identifier corresponding to a personal electronic device associated with the person; and storing data corresponding to the personal electronic device identifier at a network location associated with the global ID.
 2. The computer method of claim 1, further comprising: receiving, from a counterparty device into a server computer, a global ID challenge; transmitting a message requesting acknowledgement to the personal electronic device; receiving an acknowledgement of the global ID challenge from the personal electronic device; and transmitting, from the server computer to the counterparty device, a response to the global ID challenge.
 3. The computer method of claim 2, wherein receiving the acknowledgement of the global ID challenge from the personal electronic device includes receiving input from the person indicating the global ID challenge is to be responded to in the affirmative.
 4. The computer method of claim 3, wherein receiving input from the person includes receiving input from the person who is biometrically identified as the particular person corresponding to the global ID, the actual name, and the one or more ID proof references.
 5. The computer method of claim 2, wherein transmitting a message requesting acknowledgement to the personal electronic device includes transmitting an encrypted message requesting acknowledgement to the personal electronic device.
 6. The computer method of claim 1, further comprising: generating a public-private key pair comprising a public key and a private key; and associating the public-private key pair with the global ID.
 7. The computer method of claim 6, wherein encrypting the actual name and the one or more ID proof references includes encrypting the actual name and the one or more ID proof references using the private key.
 8. The computer method of claim 6, wherein obtaining the global ID includes receiving an entry of a character string via a control of a GUI displayed on the personal electronic device; and determining there is no other global ID using the same character string; and wherein associating the public-private key pair with the global ID includes writing the global ID and the public key to a database defining the association.
 9. The computer method of claim 6, wherein the public key comprises the global ID.
 10. The computer method of claim 6, further comprising: hashing the public key to generate a blockchain wallet address; wherein the blockchain wallet address comprises the global ID.
 11. The computer method of claim 6, wherein immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID includes broadcasting a blockchain transaction including a blockchain wallet associated with the public-private key pair as an endpoint, the blockchain transaction including a field carrying a content-identified address in a content-identified storage network, the content-identified address providing a link to the encrypted actual name and the one or more ID proof references.
 12. The computer method of claim 1, wherein immutably storing the encrypted actual name and the one or more ID proof references at one or more network locations associated with the global ID includes pinning the encrypted actual name and the one or more ID proof references in a content-identified storage network.
 13. The computer method of claim 1, further comprising: establishing a communication channel between the personal electronic device and the server computer.
 14. The computer method of claim 13, wherein establishing the communication channel between the personal electronic device and the server computer includes: receiving, from the personal electronic device into the server computer, an encryption key corresponding to a secure enclave of the personal electronic device for encrypting messages transmitted from the server computer to the personal electronic device; and transmitting, to the personal electronic device, an encryption key for encrypting messages transmitted from the personal electronic device to the server computer; whereby ID challenges and responses thereto, respectively transmitted to and received from the personal electronic device are encrypted and secure.
 15. The computer method of claim 13, wherein establishing the communication channel between the personal electronic device and the server computer includes writing, into a non-transitory computer memory of the server computer, access data for the personal electronic device.
 16. The computer method of claim 13, wherein establishing the communication channel between the personal electronic device and the server computer includes installing, on the personal electronic device, an application configured to receive push notifications from the server computer.
 17. The computer method of claim 1, further comprising: encrypting a public key or password used for the encryption of the actual data and the one or more ID proof references; and transmitting the encrypted public key or password from the server computer to the personal electronic device for storage on the personal electronic device.
 18. The computer method of claim 17, wherein transmitting the encrypted public key or password includes transmitting the encrypted public key to a secure enclave on the personal electronic device; and wherein an application installed on the personal electronic device is provided access to receive data from the server computer and encrypt data for transmission to the server computer via the secure enclave.
 19. The computer method of claim 1, wherein a public key or password used for encrypting the actual name and the one or more ID proof references is held in custody and not revealed to the named person.
 20. The computer method of claim 1, wherein the global ID is held in custody and not revealed to the named person.
 21. The computer method of claim 1, further comprising: computing a confidence interval associated with the verification of the actual name provided by the one or more ID proof references; and causing display of the confidence interval in a GUI displayed on the electronic display that presented the one or more entry fields.
 22. The computer method of claim 19, further comprising: re-computing and displaying the confidence interval when one or more additional ID proof references are received by the server computer via the GUI on the electronic display.
 23. The computer method of claim 1, wherein receiving the identifier corresponding to the personal electronic device associated with the person includes querying the personal electronic device for a hardware identifier and receiving the hardware identifier in an encrypted data transmission.
 24. The computer method of claim 1, wherein presenting, on the electronic display, the GUI including one or more entry fields for designating the one or more ID proof references includes driving the display, by the server computer, to display an ID reference entry form as a GUI displayed on an electronic display of the personal electronic device; and wherein receiving inputs including the actual name and the one or more ID proof references includes: receiving a designation of an ID reference type via the GUI; and receiving at least one ID reference attribute via the GUI.
 25. The computer method of claim 24, wherein receiving a designation of an ID reference type includes receiving a designation of a physical document; and wherein receiving at least one ID reference attribute includes capturing a digital image of the physical document.
 26. The computer method of claim 25, wherein the physical document includes one or more of a passport, birth certificate, and a Social Security card.
 27. The computer method of claim 24, wherein receiving a designation of an ID reference type includes receiving a designation of an electronic account; and wherein receiving at least one ID reference attribute includes receiving an account institution and an account number via the GUI.
 28. The computer method of claim 27, wherein receiving an account institution includes receiving at least one of a credit card issuer, a debit card issuer, and a bank name.
 29. The computer method of claim 26, wherein receiving a designation of an electronic account includes receiving a designation of an insurance policy; and wherein receiving the account institution includes receiving the name of the insurance company.
 30. The computer method of claim 1, further comprising: analyzing, with the server computer, the one or more ID proof references associated with the named person to determine a confidence interval; and displaying the confidence interval to the user via the GUI.
 31. The computer method of claim 1, wherein the electronic display for displaying a GUI is an electronic display of the personal electronic device. 32-63. (canceled) 